

Help: Allow IPSec traffic to bypass Windows Firewall

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To allow IPSec traffic to bypass Windows Firewall

  1. Open the Group Policy Object Editor snap-in to edit the Group Policy object (GPO) that is used to manage Windows Firewall settings in your organization.

  2. Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, and then click Windows Firewall.

  3. In the details pane, double-click Windows Firewall: Allow authenticated IPSec bypass.

  4. In the Windows Firewall: Allow authenticated IPSec bypass properties dialog box, on the Settings tab, click Enabled.

  5. In Define IPSec peers to be exempted from firewall policy, type the Security Descriptor Definition Language (SDDL) string that names the computer group accounts whose members are permitted to bypass Windows Firewall (the remote IPSec peers, not the computers that receive this GPO), and then click OK.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

  • Windows Firewall is not included in the original release of the Windows Server 2003 operating systems; it is included starting with Windows Server 2003 Service Pack 1 (SP1).

  • This procedure allows unsolicited incoming traffic from the specified computers, provided that they authenticate to the local computer using IPSec. Traffic that qualifies for the exemption is not subject to the Windows Firewall inbound exceptions list at all, so limit membership of the groups named in the SDDL string to the computers that genuinely need unrestricted access (for example, management or monitoring hosts).

  • You cannot use Windows Firewall in Control Panel or the netsh firewall command to perform this procedure.

  • The format of the SDDL string for a single group is:

    O:DAG:DAD:(A;;RCGW;;;SID)

    Where SID is the security identifier (SID) of a group account. In this string, O:DA and G:DA set the owner and primary group to Domain Admins, D: begins the discretionary access control list (DACL), and each parenthesized entry is an access control entry (ACE) of type A (allow) granting the RC (READ_CONTROL) and GW (GENERIC_WRITE) rights to the trustee identified by the SID. Windows Firewall treats a computer as exempt when it authenticates as a member of a group that holds these rights.

  • You can use the Getsid.exe tool to obtain the SID of a group account. Getsid.exe is typically used to compare the SIDs of two accounts on different domain controllers, but you can also use it to obtain the SID of a specified user or group account. For more information about Getsid.exe, see the Windows Server 2003 Resource Kit Tools Web site.

  • If you have more than one group, add one ACE per group. The ACEs are written one directly after another inside the same DACL; the string contains no spaces:

    O:DAG:DAD:(A;;RCGW;;;SID1)(A;;RCGW;;;SID2)(A;;RCGW;;;SID3)...

  • If you enable the Windows Firewall: Allow authenticated IPSec bypass policy setting, and then later disable the policy setting or change it to Not Configured, Windows Firewall deletes the SDDL string.
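The following PowerShell script is an added example for the SDDL-string notes above and for step 5 of the procedure; it is not part of the original Help page. It resolves one or more group names to their SIDs (the same values Getsid.exe reports), assembles the O:DAG:DAD:(A;;RCGW;;;SID)... string with the ACEs concatenated, and checks that the result parses as a well-formed security descriptor before you paste it into the policy setting. The group names CONTOSO\IPsec Bypass Servers and CONTOSO\Management Hosts are hypothetical; substitute your own. The script assumes PowerShell 2.0 or later on a domain-joined computer that can resolve the groups, for example the management workstation from which you edit the GPO.

```powershell
# Added example (not from the original page): build and validate the SDDL string
# for "Windows Firewall: Allow authenticated IPSec bypass".
# Group names are hypothetical placeholders; replace them with your own groups.

function New-IpsecBypassSddl {
    param(
        [Parameter(Mandatory = $true)]
        [string[]] $GroupName
    )
    $aces = foreach ($name in $GroupName) {
        # Resolve DOMAIN\Group to its SID, as Getsid.exe would.
        $account = New-Object System.Security.Principal.NTAccount($name)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        # One ACE per group: A = allow, RC + GW rights, trustee = the group SID.
        "(A;;RCGW;;;$sid)"
    }
    # Owner and group are Domain Admins (DA); ACEs follow D: with no separator.
    return 'O:DAG:DAD:' + ($aces -join '')
}

function Test-Sddl {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Sddl
    )
    try {
        # The constructor throws ArgumentException on malformed SDDL.
        $null = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
        return $true
    } catch {
        Write-Warning ("SDDL did not parse: " + $_.Exception.Message)
        return $false
    }
}

# Hypothetical groups; the exemption applies to their member computers.
$sddl = New-IpsecBypassSddl -GroupName 'CONTOSO\IPsec Bypass Servers', 'CONTOSO\Management Hosts'

if (Test-Sddl -Sddl $sddl) {
    # Paste this value into "Define IPSec peers to be exempted from firewall policy".
    $sddl
}
```

Run the script, then copy the printed string into step 5. If a group name cannot be resolved, the Translate call throws an IdentityNotMappedException and nothing is printed, which is preferable to silently writing a string that references a non-existent trustee.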

See Also

Concepts

Help: Administering Windows Firewall with Group Policy